Get the most out of your Centmin Mod LEMP stack
Become a Member

OpenSSL [PATCH]30-40% ECDSA performance improvement - OpenSSL 1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Jan 2, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    45,206
    10,280
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,934
    Local Time:
    8:55 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    cheers @bassie patch worked
    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_150818-012328.log
    
    ######################################################################
    Patching OpenSSL 1.1.0i
    ######################################################################
    30-40% performance improvement patch for ECDSA
    https://community.centminmod.com/posts/57725/
    ######################################################################
    /svr-setup/openssl-1.1.0i /svr-setup/openssl-1.1.0i
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1i-improve-ECDSA-sign-30-40.patch
    patching file ECDSA-PATCH-CHANGELOG
    patching file crypto/ec/asm/ecp_nistz256-armv8.pl
    patching file crypto/ec/asm/ecp_nistz256-x86_64.pl
    patching file crypto/ec/ec_err.c
    patching file crypto/ec/ec_lcl.h
    Hunk #2 succeeded at 553 (offset 16 lines).
    Hunk #3 succeeded at 629 (offset 16 lines).
    patching file crypto/ec/ec_lib.c
    Hunk #1 succeeded at 257 (offset 1 line).
    Hunk #2 succeeded at 964 (offset 5 lines).
    Hunk #3 succeeded at 1009 (offset 5 lines).
    patching file crypto/ec/ecdsa_ossl.c
    Hunk #1 succeeded at 144 with fuzz 2 (offset -9 lines).
    patching file crypto/ec/ecp_nistz256.c
    Hunk #3 succeeded at 1488 (offset -16 lines).
    Hunk #4 succeeded at 1720 (offset -16 lines).
    patching file crypto/perlasm/x86_64-xlate.pl
    patching file include/openssl/ec.h
    /svr-setup/openssl-1.1.0i
    

    benchmarks before and after patching
    Code (Text):
    /opt/openssl/bin/openssl version -a
    OpenSSL 1.1.0i  14 Aug 2018
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
    OPENSSLDIR: "/opt/openssl"
    ENGINESDIR: "/opt/openssl/lib/engines-1.1"
    


    On Intel Xeon E3-1270v1 4CT/8T dedicated server with 16GB RAM and 240GB SSD

    before patching OpenSSL 1.1.0i


    Code (Text):
    /opt/openssl/bin/openssl speed -multi 8 rsa2048 ecdsap256
    
    OpenSSL 1.1.0i  14 Aug 2018
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000270s 0.000008s   3710.0 127752.2
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s  86956.5  34483.7
    


    after patching OpenSSL 1.1.0i


    Code (Text):
    /opt/openssl/bin/openssl speed -multi 8 rsa2048 ecdsap256
    
    OpenSSL 1.1.0i  14 Aug 2018
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000270s 0.000008s   3696.9 128008.2
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  37736.7
    

    ECDSA performance patch has +39.39% faster ECDSA signs/s and +9.43% faster ECDSA verify/s :). Of course newer cpus will have better ECDSA performance but patch boost is nice :)
    OpenSSL 1.1.0i before vs after ECDSA Performance Patch rsa 2048 signs/s rsa 2048 verify/s ecdsa 256bit signs/s ecdsa 256bit verify/s
    OpenSSL 1.1.0i before ECDSA patch 3710.0 127752.2 86956.5 34483.7
    OpenSSL 1.1.0i after ECDSA patch 3696.9 128008.2 121212.1 37736.7
     
  2. buik

    buik “A winner never stops trying.” Premium Member

    1,304
    358
    83
    Apr 29, 2016
    Ratings:
    +1,067
    Local Time:
    12:55 AM
    Nice to hear that the up-to-date patch is working as it should be:)
     
  3. rdan

    rdan Well-Known Member

    4,983
    1,185
    113
    May 25, 2014
    Ratings:
    +1,804
    Local Time:
    6:55 AM
    Mainline
    10.2
    :( Sad for us using your patch for openssl 1.1.0.
     
  4. eva2000

    eva2000 Administrator Staff Member

    45,206
    10,280
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,934
    Local Time:
    8:55 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  5. buik

    buik “A winner never stops trying.” Premium Member

    1,304
    358
    83
    Apr 29, 2016
    Ratings:
    +1,067
    Local Time:
    12:55 AM
    No problem. There is always someone to test the code with test sites for example @eva2000
     
  6. buik

    buik “A winner never stops trying.” Premium Member

    1,304
    358
    83
    Apr 29, 2016
    Ratings:
    +1,067
    Local Time:
    12:55 AM
  7. eva2000

    eva2000 Administrator Staff Member

    45,206
    10,280
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,934
    Local Time:
    8:55 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  8. buik

    buik “A winner never stops trying.” Premium Member

    1,304
    358
    83
    Apr 29, 2016
    Ratings:
    +1,067
    Local Time:
    12:55 AM
    Ok gonna update the patch with the upscaled OpenSSL 1.1.0i version number.
    Then it is clearer for visitors that it is compatible with the latest OpenSSL 1.1.0i.